Krebs on Security


Epsilon Breach Raises Specter of Spear Phishing

Security experts are warning consumers to be especially alert for targeted email scams in the coming weeks and months, following a breach at a major email marketing firm that exposed names and email addresses for customers of some of the nation’s largest banks and corporate brand names.

Late last week, Irving, Texas-based Epsilon issued a brief statement warning that hackers had stolen customer email addresses and names belonging to a “subset of its clients.” Epsilon didn’t name the clients whose customer data was lost in the breach; that information would come trickling out over the weekend, as dozens of major corporations began warning customers to be wary of unsolicited email scams that may impersonate their brands as a result.

Among Epsilon’s clients affected are three of the top ten U.S. banks – JP Morgan Chase, Citibank and U.S. Bank — as well as Barclays Bank and Capital One. More than two dozen other brands have alerted customers to data lost in the Epsilon breach (a list of companies known to have been impacted is at the bottom of this post).

Rod Rasmussen, chief technology officer at Internet Identity and the industry liaison for the Anti-Phishing Working Group, believes that the Epsilon breach will lead to an increase in “spear phishing” attacks, those that take advantage of known trust relationships between corporations and customers by crafting personalized messages that address recipients by name, thereby increasing the apparent authenticity of the email.

“I think this is going to make a big difference in spear phishing, where you may not be targeting an individual, but you know that that person has a bank account with US Bank and recently stayed at Disney,” Rasmussen said. “You now can automate spam based on things people have actually done, so your missive that they need to log into your phishing site is much more effective. You can also correlate across your data to see all the services someone is using, phish them for a user/password on something innocuous, and then re-use the same password for the bank they use, since there’s such rampant password re-use out there.”

Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE) and a former executive at email service provider ReturnPath, said his organization plans to release a document later today spelling out security measures that providers should be taking, such as encrypting customer data.

“There are best practices that the majority of the industry should have implemented a year ago, but never did, and it’s just disgusting and reprehensible that they haven’t done this stuff yet,” Schwartzman said. “I’ve talked to people in other industrial sectors who said if my external auditors found out we were treating customer data this way, we’d be in serious trouble.”

Schwartzman said Internet service providers should start treating even opt-in commercial email as “highly circumspect.”

“To protect users, ISPs should be upgrading anti-phishing facilities, and demanding strict compliance with anti-spam [standards],” Schwartzman said. “At this point, the email senders certainly are in the ring with Mike Tyson in his prime.”

Jonathan Zittrain, a professor of law at Harvard Law School and co-founder of the Berkman Center for Internet & Society, said the breaches at Epsilon and other email senders should never have happened.

“The right security controls — or overall architecture, not keeping a Ft. Knox of email addresses lazily on the Internet, even behind a password — could prevent this,” Zittrain wrote in an email to KrebsOnSecurity.com. “Worse, customers who specifically asked to opt out of marketing emails were also affected. Opting out should mean genuine removal from the database, rather than retention in the database with a marker indicating that someone has opted out.”

Zittrain said he received notices from two of the companies impacted by the Epsilon breach, and that neither company mentioned the source of the problem.

“Reminiscent of credit card companies’ reporting of merchant breaches — they do not say who lost the data,” Zittrain said. “Why would the front line companies go out of their way to protect the firm that was asleep at the switch?”

It’s not clear how many more disclosures are still to come. Epsilon declined to comment beyond its sparse four-sentence statement. The company’s site says Epsilon serves approximately 2,500 clients, and sends about 40 billion marketing messages for clients annually.

Here is a list of companies that have acknowledged losing customer contact data and email addresses as a result of the Epsilon breach. Got a notice from a company that’s not already on this list? Sound off in the comments below.

Update, 3:14 p.m. ET: If at all possible, please paste a copy of the communication in your comment only if you don’t see the name of the affected entity in the list below. Databreaches.net has links to some of the disclosure letters, which I will try to add to the individual brand names below as well. Early reports suggested Borders and Verizon had also issued alerts, but those are unconfirmed and have been removed from the list for now.

Update, 3:22 p.m. ET: Heard back from the PR folks at Borders, who said the company was not impacted by the Epsilon breach.

Update, 5:14 p.m. ET: Corrected the number of clients Epsilon currently has and the volume of email they send annually.

Update, Apr. 5, 11:01 a.m. ET: Visa says it was not impacted by the Epsilon breach.

Update, Apr. 5, 3:42 p.m. ET: Added Bebe, Soccer.com, Eddie Bauer, 1800Flowers, among others. Removed American Express, which says it was not affected. It seems the confusion over Amex and Visa stemmed from cardholders getting notices through various rewards programs.

This entry was posted on Monday, April 4th, 2011 at 11:28 am and is filed under A Little Sunshine, Latest Warnings.

160 comments

I conducted a survey in the last few days and sure enough most people who got an email from Epsilon affected companies or heard “something” in the news, were not disturbed by it.

Most saw it as a reminder not to give out personal information when requested through email, and some said they will continue to be leery of clicking any links embedded in an email. Few seemed to be concerned, and passed it off as yet another company demonstrating that it has sloppy business practices. Guess you might say this latest event gave companies an opportunity to be part of a good public service message.

Interestingly enough, most people seemed somewhat immune to being emotionally upset because in the past (5) years or so, they have received a number of emails and letters saying their personal information may be compromised due to a breach or a hack. Only a few were even vaguely aware of the Heartland breach.

Worse, businesses and organizations are complicit in the problem continuing. Why? Because lobbyists for special interest groups spend millions to ensure that privacy and security laws get watered down, continue to contain lots of reporting and response loopholes, limit financial responsibilities, and have little efficacy, and government agencies do not enforce them unless it’s a high-profile case. This leaves consumers in no better place for real security with respect to any and all personal information. Companies, healthcare professionals, lawyers, accountants, etc. have complained about the inconvenience and the cost of complying with security/privacy laws, giving the impression that consumer security runs secondary to “their” concerns. This statement is supported by the lawsuits filed relating to compliance with the federal Red Flags Rule.

I applaud companies and organizations that adopt serious security programs… and not because the law forces them to… or because they are afraid of damage to their brand. They do it because it’s the right thing to do – treat personal information the way they expect others to treat theirs. Companies taking securing PI seriously should be a growing number instead of a stagnant or shrinking one.

Even with financial institutions falling under strict guidelines under various laws and oversight, some of the more high-profile ones were still part of this Epsilon breach. What part of the Red Flags Rule did they not get, which requires them to ensure that third parties they share information with have proper security in place to protect such information? Where is the voice of the FTC? Why are they silent about compliance, given that FTC enforcement went into effect January 1, 2011???

In a nutshell, and sadly, most likely, when the dust settles, this event will be forgotten and people will go back to the status quo – doing little more than complain when another hack or breach happens.

What upsets me more is that Epsilon is not revealing many details of the breach. Their communications have been carefully drafted by their marketing folks to downplay the seriousness.

We victims deserve to know more details such as technical details of the “unauthorized entry” attack, when exactly the attack was started, how badly and how many times their servers were hacked during the duration, what facts convinced them that no other data was leaked, who audited their security practices (they claimed it was always reviewed rigorously), etc.

I hope they do not announce in a couple of weeks that they actually did not realize how bad the breach was, and that they leaked much more data.

BTW, in the messages I received, I found the following statements a bit funny:

Chase’s signature says: Your personal information is protected by advanced technology.
BestBuy says: We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

My question is what, if any, security assessment on Epsilon was done by Chase, BestBuy and others?

This email was sent to you by World Financial Network National Bank (WFNNB). WFNNB issues your Victoria’s Secret Credit Card Account.

Dear Valued Customer,

Your privacy is extremely important to us, and we wanted to share the following information with you. We discovered that an unauthorized party has gained access to files containing email addresses associated with several companies including Victoria’s Secret credit cards.

While your email address and/or name may have been included in these files, no sensitive financial or other personal information was compromised. However because of the circumstance, you may receive spam emails. We sincerely apologize for any inconvenience this may cause.

For your security, we remind you to never provide personal information to unknown individuals/businesses online and avoid opening suspicious email links or attachments.

Again, we are very sorry that this occurred and are working diligently to maintain your trust. If you have any questions or need further assistance, please call the WFNNB Customer Service Center at the phone number listed on the back of your credit card.

As a valued Scottrade customer or someone who previously provided us with your email address, we want to make you aware of a situation that affects your email security. We have been notified by Epsilon, a company we use to send emails, that an unauthorized person outside of their company accessed records that contained your name and email address.

This incident occurred at Epsilon. We want to assure you that Scottrade’s systems were not affected and your account information remains secure.

I’m going to light a bit of a fire here by asking a few questions we should all be pondering…

Epsilon purchased the Direct Marketing Services of Equifax… the credit bureau, for all those who don’t know of Equifax. My question is, what information did Epsilon obtain in the acquisition? Was personal financial information of any kind obtained in this acquisition? If so, theft of our email information should be the least of our worries.
—————————————————————————-
Here is a quote I got off the net regarding the purchase of Equifax DMS:

“We’re excited about the business synergies and strategic fit,” said Kennedy. “Equifax’s DMS brings in to the fold several appealing aspects.”

Specifically, Equifax should provide Epsilon with new data sets, and verticals including telecommunications and financial services; additional scale in database development and hosting; additional clients; additional analytics; and management expertise.
—————————————————————————–

Time for Epsilon to fess up about the breach and admit that keyloggers were involved… and if so, do they have ANY idea the depth of the breach?

I know that once the bad guys get into any crack and crevice of a network, they can download all sorts of undetectable malware that could be feeding data to the bad guys.

And don’t think for a moment that gateways and heuristic technology can catch all malware attacks. The bad guys could be in there laying low… grabbing information and using what they want when they want… escaping detection. If this was a sophisticated attack, phishing scams should be the least of our worries. An attack of this type could have yielded a lot more than email, and they are probably smart enough not to attack en masse, which would send up red flags.

Something tells me Epsilon is spending millions on forensics to try to determine how far, deep and wide the breach really is and what information is at risk. They are keeping mum right now because they don’t really know… or if they do, they are spending some quality time trying to put together a damage control strategy to keep their clients from fleeing to other marketing companies.

I still think there is undetectable malware all through their system now… laying in wait. 😉

This saga is just beginning. If Epsilon has financial information in its possession, this could be just as bad as the Heartland breach. Until Epsilon or Alliance Data Systems Corporation reports exactly what data they collect, whether they say it’s secure or not, we should all wonder how safe we are, including all those Equifax consumers.

Thanks for the great insight Teri! Your thoughts take this discussion to another level. I hope others are paying attention to your questions, like perhaps those at the Federal Trade Commission who are charged to ENFORCE THE LAW!

And why aren’t we holding Epsilon’s feet to the fire by asking them to divulge just what type of data they have on their networks that are putting their clients and client’s consumers at risk?

It seems reasonable that if they have possession of more than just email, we need to know the extent of how millions of us should be protecting ourselves other than someone sending us phishing emails.

[Via ComputerWorld] According to Australian ITNews, Return Path senior director of security strategy Neil Schwartzman issued an alert in November warning of a “serious phishing attack” directed at email service providers and direct mailers.

Phishing emails were targeted at staff responsible for email operations, who received emails whose content typically mentioned the staffer by name and purported to be from a couple, presumably friends or co-workers.

The phishing attacks were sent to the targets from several different systems, including online greeting card sites, and via a botnet.

The spam email messages contained a link which took users to a malicious site from where particularly nasty malware would be downloaded to the user’s system.

The malware associated with the phishing campaign included Win32.BlkIC.IMG, which disabled anti-virus software; a Trojan keylogger called iStealer, which was used to steal passwords; and an administration tool called CyberGate, which is used to gain complete remote control of compromised systems.

So one has to wonder what Security & Awareness Training Epsilon has been giving its staff?

Look at what passes for the news. Let’s call churnalism when we see it, shall we?

First of all, this IT News “story” has no news in it at all. The reporter took a four month old blog post and implied a connection without actually drawing one or managing to interview anyone for the story. There is certainly no quote or information from Epsilon.

The story draws heavily on a piece that I broke back in November that describes an extremely complex attack against more than 100 email service providers.

Don’t waste time entertaining a class action suit. That sort of action only makes the lawyers rich. Class actions are no more than a paycheck that takes years to collect.

Again, we should be putting pressure on the FTC lawyers to drive enforcement with their ability to levy fines, penalties and sanctions under its jurisdiction.

In this case, the FTC can expedite actions more quickly than the years it would take to reach a class action settlement.

We should think about the goal which is for Epsilon to take responsibility and show the millions affected how they are going to rectify the breach… how they plan to protect us from future compromises in order for them to stay in business.

We were recently informed by our email service provider that your email address may have been exposed by unauthorized entry into their system. Our email service provider deploys emails on our behalf to customers who have opted into email based communications from us; they have reported this incident to the appropriate authorities.

We want to assure you that the only information that may have been obtained was your name and email address. Your account and any other personally identifiable information were not at risk.

Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. In keeping with best industry security practices, Lacoste will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, shop.lacoste.com.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Lacoste Customer Service

To speak to a Customer Service representative, please call 800-4-LACOSTE.

On April 4, 2011, we were informed by Epsilon, a company we have used to manage email communications on our product websites, that files containing the email addresses of some of our consumers were accessed by an unauthorized third party. You are receiving this message because you have registered on one of our product websites. For a list of our products, please visit our website, http://us.gsk.com/.

The information accessed included email addresses and first and last names. The file from which your name and email address were accessed may have identified the product website on which you registered. We take your privacy seriously and want you to be aware of this situation so that you can remain alert to any unusual or suspicious emails.

One of the primary concerns arising from a breach of this nature is that your information may be used to generate fraudulent email messages that may appear legitimate but are intended to gather confidential information that you would not otherwise reveal.

GlaxoSmithKline Consumer Healthcare will never ask you to provide or confirm any personal information in emails. Do not respond in any way to emails that appear to be coming from GlaxoSmithKline Consumer Healthcare that ask for personal information. If you receive an email requesting this information, you should delete it even if it appears to be legitimate. Any unusual or suspicious emails should be deleted without opening.

We also encourage you to take this opportunity to strengthen your passwords on any of your online accounts, particularly those that use the email address impacted by this breach as an account ID, to ensure your ongoing security. Additional information about protecting your personal information online is available at the Federal Trade Commission’s OnGuard Online website.

GlaxoSmithKline Consumer Healthcare values your privacy and will continue to work to ensure it is protected. We apologize if you receive more than one copy of this message as we are working diligently to ensure you are aware of this situation. If you have unsubscribed from our emails in the past, there is no need to unsubscribe again. Your preferences will remain in place.

If you have any questions about this communication, please feel free to contact one of our knowledgeable consumer relations representatives at 1-800-245-1040.

I rec’d an identical email to Mr. Mann’s above. I contacted Glaxo and they confirmed the email was from them and was associated with the Epsilon breach. They also said the most likely way they had a person’s email was thru prescription orders but could also be thru registering for coupons and other products.

I also received a telephone call from 1-555-555-5555, with a recorded message that my Citi card has been locked, and that I need to press some number to continue. Needless to say I hung up, but I have no doubt it’s related to the Epsilon fiasco.

I also looked at older emails from the 6-7 companies that I’ve received notices from (BestBuy, USBank etc), and nowhere on those emails did it say that it was a 3rd party by the name of Epsilon that was being used for their email needs.

I wonder if my American Express Account has been breached. I am sure that I have opted out of marketing emails if I had the option. I got an email today that had my name and last 4 #s on it. All links on the email are not https. Links have email.americanexpress in it.
It said:

We’re always looking for better ways to deliver timely and relevant information to our Cardmembers. Since you previously opted out of marketing e-mails from American Express, we’d like to tell you about our recently launched E-mail Preference Center.

On this web page, you can select how frequently you receive marketing e-mails, and choose what you find most relevant – from Card benefits and rewards to special travel and shopping offers.

If you decide not to update your marketing e-mail preferences, you will not receive notifications about the rewards and offers you may be eligible for, but will continue to receive servicing communications regarding your account.

Yes, I would like to receive special Cardmember offers. Take me to the E-mail Preference Center.
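The check the commenter above did by hand (are the links HTTPS, and does the host actually belong to the brand?) is worth automating, because a spear-phishing message built from the leaked name and email data will carry exactly the same kind of personalization as a legitimate one. The script below is an added example, not code from the post, its commenters or American Express; the message it parses is constructed for the example, and the brand domain list is an assumption rather than an authoritative allowlist.

```python
"""Triage the links in a suspected brand-impersonation email.

Added example: not code from the KrebsOnSecurity post, its commenters, or any
company named on the page. SAMPLE_EMAIL is constructed for the example, and
BRAND_DOMAINS is an assumed allowlist, not an authoritative one.
"""
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the registrable domains the brand actually links to.
BRAND_DOMAINS = {"americanexpress.com"}

# Constructed message: one legitimate but plain-HTTP link, one look-alike host
# hidden behind URL-shaped link text, and one clean link.
SAMPLE_EMAIL = """\
From: "American Express" <alerts@email.americanexpress.com>
To: cardmember@example.net
Subject: Update your E-mail Preference Center
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Cardmember (account ending 1234),</p>
<p><a href="http://email.americanexpress.com/pref?id=abc">Take me to the E-mail Preference Center</a></p>
<p><a href="https://americanexpress.com.account-verify.example/login">https://www.americanexpress.com/login</a></p>
<p><a href="https://www.americanexpress.com/privacy">Privacy Statement</a></p>
</body></html>
"""


def host_in_domains(host: str, domains: set) -> bool:
    """True if host equals, or is a subdomain of, one of the domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def looks_like_brand(host: str, domains: set) -> bool:
    """True if the host borrows a brand's name without being under its domain,
    e.g. americanexpress.com.account-verify.example (substring heuristic)."""
    labels = {d.split(".")[0] for d in domains}
    return any(label in host.lower() for label in labels) and not host_in_domains(host, domains)


def visible_host(text: str):
    """Hostname a reader would infer from URL-shaped link text, else None."""
    if not text or " " in text or "." not in text:
        return None
    candidate = text if "://" in text else "http://" + text
    return urlsplit(candidate).hostname


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_body(msg: Message) -> str:
    """First text/html part of the message, decoded; empty string if none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def triage_links(raw_message: str, domains=BRAND_DOMAINS) -> list:
    """One finding per link: href, host, and the red flags it raised."""
    msg = message_from_string(raw_message)
    collector = LinkCollector()
    collector.feed(html_body(msg))
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        flags = []
        if parts.scheme.lower() != "https":
            flags.append("not-https")           # anything typed there travels in the clear
        if not host_in_domains(host, domains):
            flags.append("host-not-brand")      # link leaves the brand's domains
        if looks_like_brand(host, domains):
            flags.append("brand-lookalike")     # brand name used as a decoy label
        shown = visible_host(text)
        if shown and shown.lower() != host.lower():
            flags.append("text-host-mismatch")  # text shows one host, href goes to another
        findings.append({"href": href, "host": host, "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in triage_links(SAMPLE_EMAIL):
        print(finding["host"] or "(no host)", finding["flags"] or "ok")
```

Run stand-alone, it prints one line per link with its flags. A plain-HTTP link to the brand's own host is the low-risk case; a host that merely contains the brand name, or link text showing a different host than the href actually points to, is the pattern to treat as phishing no matter how personal the greeting is. The look-alike test is a substring heuristic; a production version would compare registrable domains using the public suffix list rather than string matching.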